#########################################
Application: Internet Explorer
Vendors: http://www.microsoft.com
Version: 6.0.2800
Platforms: Windows
Bug: Certificate Stealing (Phishing)
Risk: Medium
Exploitation: Remote with browser
Date: 30 Apr 2004
Author: Emmanouel Kellinis
e-mail: me@cipher(dot)org(dot)uk
web: http://www.cipher.org.uk
List : BugTraq(SecurityFocus)
#########################################

=======
Product
=======

A popular Web browser, created by Microsoft, used to view pages on the World Wide Web.

===
Bug
===

Internet Explorer lets a website present the SSL certificate of a site that belongs to someone else. The trick is a combination of a REFRESH meta tag and an onUnload handler on the BODY tag, and it can be used in phishing scams.

Let's say that we want to use the example.com certificate. We point a REFRESH meta tag at that website:

<meta http-equiv="REFRESH" content="0;url=https://www.example.com/">

Then, inside our BODY tag, we use onUnload to tell the browser what to do when it unloads our page (using the window.location method):

<BODY onUnload='window.location=""'>

The result is that the browser asks us whether we want to use the certificate of example.com (if we trust that party we say yes). The contents of the protected webpage are then downloaded and displayed under our website, using our domain name. The URL field of IE shows something like:

Address : http://www.ourdomainname/FakeSSL.html

while the browsing area shows the contents of the index page of example.com together with the SSL lock (right corner).

*Remember that we are on the fake website all that time. If the links and forms inside the index page use virtual (relative) pointers to directories or files (e.g. images/ or form/submit.php), they now resolve against our domain name, so we can use the trust of the visitor and steal information (e.g. via submitted forms).
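The last paragraph is the part a site owner can actually act on: once the real page is rendered under the attacker's URL, every relative link or form action resolves against the attacker's host. The following audit script is an added example, not code from the advisory or from Microsoft. It resolves each action= and href= target in a constructed sample page against both the legitimate origin (assumed here to be https://www.example.com/) and the spoofed address from the advisory (http://www.ourdomainname/FakeSSL.html) and flags every target whose two resolutions differ. It generalises slightly beyond the advisory's wording: a root-relative path such as /login also ends up on the attacker's host, so only fully absolute URLs come out clean.

```javascript
// Added example, not part of the original advisory.
// Assumed legitimate site and the attacker page named in the advisory.
const LEGIT_ORIGIN = "https://www.example.com/";
const SPOOFED_BASE = "http://www.ourdomainname/FakeSSL.html";

// Constructed sample of a login page as the real site might serve it.
// Three styles of target: relative, root-relative, absolute.
const SAMPLE_HTML = `
<form action="form/submit.php" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="/login" method="post"></form>
<form action="https://www.example.com/secure/login" method="post"></form>
<a href="images/logo.gif">logo</a>
<a href="https://www.example.com/help">help</a>
`;

// Pull every action= and href= attribute value out of the HTML.
// A regex is enough for an audit of this size; it is not a full parser.
function extractTargets(html) {
  const re = /\b(action|href)\s*=\s*["']([^"']*)["']/gi;
  const targets = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    targets.push({ attr: m[1].toLowerCase(), value: m[2] });
  }
  return targets;
}

// Resolve one target against the real origin and against the spoofed
// address. If the results differ, a submission or click from the spoofed
// page goes to the attacker's host instead of the legitimate server.
function classifyTarget(value, legitOrigin, spoofedBase) {
  const legit = new URL(value, legitOrigin).href;
  const spoofed = new URL(value, spoofedBase).href;
  return { value, legit, spoofed, leaks: legit !== spoofed };
}

function auditPage(html, legitOrigin = LEGIT_ORIGIN, spoofedBase = SPOOFED_BASE) {
  return extractTargets(html).map((t) => ({
    attr: t.attr,
    ...classifyTarget(t.value, legitOrigin, spoofedBase),
  }));
}

// Only the targets that would be hijacked under the spoofed address.
function leakingTargets(html, legitOrigin = LEGIT_ORIGIN, spoofedBase = SPOOFED_BASE) {
  return auditPage(html, legitOrigin, spoofedBase).filter((t) => t.leaks);
}

for (const t of auditPage(SAMPLE_HTML)) {
  console.log(`${t.leaks ? "LEAK" : "ok  "} ${t.attr}="${t.value}" -> ${t.spoofed}`);
}
```

Run against the sample page, the two relative targets and the root-relative one are reported as leaking to http://www.ourdomainname/, while the two absolute https://www.example.com/ URLs are unaffected; that is the concrete meaning of "use the real path or URL" in the FIX section.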
NOTE: the lock in the right corner does not really work: if you click it, IE says "this type of document does not have security certificate", which means the lock should not be there at all. But if a visitor checks the certificate only in the popup window at the beginning of the session, and after the page has loaded does not verify it again through the lock in the right corner, the faked certificate goes unnoticed.

=====================
Proof Of Concept Code
=====================

<html>
<head>
<title>Your Page Title</title>
<meta http-equiv="REFRESH" content="0;url=https://www.example.com/">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html;">
</HEAD>
<BODY onUnload='window.location=""'>
</BODY>
</HTML>

====
FIX
====

Do not use virtual (relative) directories; instead use the real path or URL.
Refresh access to the root directory.

=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================